REST API Private Integrations

July 31, 2024

Part 3

This is Part 3 of the series; see Part 1 and Part 2 for the earlier installments.

Introduction

A VPC link is a resource within Amazon API Gateway that leverages AWS Hyperplane to provide private integrations to your VPC’s HTTP/HTTPS endpoints. This is the third part of a multi-part series where we go deep into private integrations for Amazon API Gateway. In other words, how API Gateway integrates with HTTP and HTTPS resources within an Amazon Virtual Private Cloud (VPC).

In the first part, “A Deep Dive into VPC Links in Amazon API Gateway”, we compared API Gateway with ALBs and gave an overview of AWS Hyperplane, AWS PrivateLink and VPC links. In the second part, “HTTP API Private Integrations”, we focused on the advantages of HTTP APIs and how to configure private integrations with their VPC link resource.

In this part, we are going to focus on API Gateway REST APIs, how they differ from HTTP APIs and how their reliance on AWS PrivateLink affects how their VPC link resource is set up for private integrations.

API Gateway REST APIs: A Full-Course Meal

In the second part of this series, HTTP API Private Integrations, we saw that Amazon API Gateway HTTP APIs are the newer API tooling of Amazon API Gateway, built to deliver enhanced features and improved performance but, most importantly, an easier developer experience.

AWS PrivateLink and REST APIs

AWS PrivateLink is a powerful feature designed to enhance network security and simplify the architecture of cloud-based services. At its core, AWS PrivateLink enables private connectivity between VPCs (Virtual Private Clouds) and AWS services, ensuring that traffic does not traverse the public internet.

Amazon API Gateway REST APIs, on the other hand, are the complete package when it comes to managed API Gateway services on AWS, allowing clients to securely build, publish, maintain, monitor and scale RESTful APIs. A full-course meal with many options, but with great power comes great responsibility. They support more features such as caching, AWS WAF, API keys, per-client rate limiting and usage throttling, just to name a few. The AWS documentation has a complete list of supported features to guide you in choosing between REST APIs and HTTP APIs. So if you require those advanced API management features, the REST API tooling is what you should use. Similar to HTTP APIs, API Gateway REST APIs can be used to connect to HTTP/HTTPS resources in VPCs. However, their reliance on AWS PrivateLink imposes a few constraints. Let’s have a closer look at AWS PrivateLink.

diagram showing how REST API VPC links connect to VPC's using AWS PrivateLink
REST API private integrations rely on AWS PrivateLink

The VPC link for REST APIs leverages the capabilities of AWS PrivateLink to connect a public API Gateway REST API to backend services running inside your VPC, ensuring secure and private communication. This setup eliminates the need to expose your services to the public internet, thereby enhancing security and performance.

When using AWS PrivateLink to establish private connectivity, the service provider is the owner of the service. That could be a public AWS service such as EC2, SSM, S3 or DynamoDB, an AWS Partner such as Datadog, or another AWS account, like the account where your backend services are hosted in a VPC.

Now this is very important!

For the service provider to expose a service, they must create an endpoint service to make the service available in a Region and they must specify a load balancer. The load balancer is required to receive the requests from service consumers and route them to the backend service.

This is the reason why all REST API VPC links must terminate on a Network Load Balancer (NLB).

So the endpoint services are your backend services in your VPC, and they must be exposed by an NLB.

In AWS PrivateLink setups, the user of an endpoint service is a **service consumer**. The service consumer creates a VPC interface endpoint in their VPC to connect to the provider's endpoint service. The VPC interface endpoint is a resource within the consumer’s VPC that creates an Elastic Network Interface (ENI) to expose the service provider’s service, which could be in another VPC, another AWS account or a public AWS service.

How does AWS PrivateLink map to our REST API and backend services in our VPC?

When it comes to Amazon API Gateway REST API private integrations, the service consumer is the Amazon API Gateway’s service VPC. And the service provider is the VPC that hosts the HTTP/HTTPS backend resources.

If you’ve ever had to consume a PrivateLink endpoint service, you know the steps required to create the consumer’s VPC interface endpoint. When it comes to our API Gateway private integrations, the consumer is the API Gateway service’s VPC which you do not have direct access to.

What basically happens is that you indirectly create the AWS PrivateLink consumer’s VPC interface endpoint in the API Gateway service’s VPC via the VPC link resource that is available in your REST API.

In essence, the configuration of the API Gateway VPC link resource automates the creation and management of the service consumer’s interface VPC Endpoint in the API Gateway service’s VPC.

Let’s see how we can therefore create a REST API VPC Link resource.

How to set up Private Integrations for REST APIs

Note that the steps below only show how the VPC link resource is set up for REST APIs. They presume that the backend HTTP/HTTPS resources already exist in a VPC, are exposed by an internal NLB, and that the REST API has already been created.

You can follow this tutorial to Set up a Network Load Balancer for API Gateway private integrations.

If you are integrating with an existing NLB, note that you must turn off security group evaluation for PrivateLink traffic.

Let’s examine how simple this is in the AWS Management Console and via Infrastructure as Code.

AWS Management Console setup

You can set up private integrations for your REST APIs in the AWS Management Console with the following steps:

Step 1: Create a VPC link

  • Head to the Amazon API Gateway Console and click on “VPC links” in the left menu bar.
picture showing the VPC link menu bar
VPC Link for REST APIs


  • Click on “Create” to open up the VPC link configuration page
picture showing the VPC link creation settings
VPC Link for REST APIs


  • Select VPC link for REST APIs
picture showing create VPC link settings
VPC Link for REST APIs


  • Provide a name for the VPC link resource
  • Select the Network Load Balancer (NLB) that the VPC link will connect to.
  • Click on “Create” to create the VPC link resource
picture showing create VPC link settings
VPC Link for REST APIs


You will return to the VPC links page while the VPC link resource is being created. Take note of the VPC link ID, which in our case is 'ioyupn'; we will need it when setting up the private integration for our REST API.

picture showing the creation of VPC links for REST APIs
VPC Link for REST APIs


Step 2: Create a private integration

  • Go to your REST API and create a method under an API resource
picture showing the creation of VPC links for REST APIs
REST API Resources


  • Select “ANY” from the “Method type” drop-down menu.
  • For “Integration type”, select “VPC link”.
  • Enable “VPC proxy integration”.
picture showing the creation of VPC links for REST APIs
Create API method details


  • Select “ANY” from the “HTTP method” drop-down menu.
  • From the “VPC link” drop-down menu, select “[Use stage variable]”. We will provide the VPC link ID through the 'VPCLINK' stage variable after deploying the changes to the API.
  • In the “Endpoint URL”, provide a reference to the 'VPCNLB' stage variable, which will hold the DNS name of our NLB.
  • Leave all the other defaults and click on “Create method”.
picture showing the creation of VPC links for REST APIs
Create API method details


  • Click on “Deploy API”
picture showing the creation of VPC links for REST APIs
Deploy API


  • Choose a stage or create one if you haven’t yet deployed the API
  • Click on “Deploy”
picture showing the creation of VPC links for REST APIs
REST API deployment


  • Once the API is deployed, you will be taken to the Stages section. Copy the Invoke URL, which you will use to query your API.
picture showing the creation of VPC links for REST APIs
Create API Stages


  • Remember that we used stage variables for the VPC link ID and the endpoint URL. Scroll down to the bottom and, while in the “Stage variables” tab, click on “Manage variables”.
picture showing the creation of stage variables for REST APIs
Manage stage variables


  • Click on the “Add stage variable” button twice for the 2 stage variables.
picture showing the creation of stage variables for REST APIs
Add stage variables


  • For 'VPCLINK', enter the VPC link ID.
  • For 'VPCNLB', enter the NLB DNS name.
  • Click on “Save” and you are done.
picture showing the creation of stage variables for REST APIs
Add stage variables

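The console steps above (create the VPC link, create the method with a VPC proxy integration that references stage variables, deploy, then fill in the stage variables) and the NLB requirement from the setup notes can be scripted. The example below is added here and is not code from the original post or from AWS; it assumes an existing REST API, resource and internal NLB, and every ARN, ID and DNS name in it is a constructed placeholder. The pure helper functions build the request parameters and run a preflight check on the NLB description, and `apply()` sends them with boto3 (the boto3 `apigateway` calls `create_vpc_link`, `get_vpc_link`, `put_method`, `put_integration` and `create_deployment` are real; the `SAMPLE_NLB` entry mimics one item of an `elbv2 describe_load_balancers` response).

```python
import re
import time

VPC_LINK_VAR = "VPCLINK"  # stage variable that will hold the VPC link ID
NLB_VAR = "VPCNLB"        # stage variable that will hold the NLB DNS name

# Constructed sample of one entry from elbv2 describe_load_balancers (not a real NLB).
SAMPLE_NLB = {
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                       "loadbalancer/net/backend-nlb/0123456789abcdef",
    "DNSName": "backend-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com",
    "Type": "network",
    "Scheme": "internal",
    "SecurityGroups": ["sg-0123456789abcdef0"],
    "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "off",
}

SG_PROBLEM = "security group evaluation must be turned off for PrivateLink traffic"


def nlb_preflight(lb: dict) -> list:
    """Return the reasons this load balancer cannot back a REST API VPC link
    (empty list means it can): it must be an internal NLB, and if security
    groups are attached, inbound rule enforcement on PrivateLink traffic must be off."""
    problems = []
    if lb.get("Type") != "network":
        problems.append("VPC link targets must be a Network Load Balancer")
    if lb.get("Scheme") != "internal":
        problems.append("NLB should be internal so PrivateLink traffic stays inside the VPC")
    if lb.get("SecurityGroups") and \
            lb.get("EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", "on") != "off":
        problems.append(SG_PROBLEM)
    return problems


def vpc_link_request(name: str, nlb_arn: str) -> dict:
    """Parameters for apigateway.create_vpc_link (the REST API VPC link targets an NLB ARN)."""
    return {"name": name, "targetArns": [nlb_arn]}


def integration_request(rest_api_id: str, resource_id: str, backend_path: str = "/") -> dict:
    """Parameters for apigateway.put_integration: a VPC proxy integration whose
    VPC link ID and NLB DNS name are resolved from stage variables at request time."""
    return {
        "restApiId": rest_api_id,
        "resourceId": resource_id,
        "httpMethod": "ANY",
        "type": "HTTP_PROXY",
        "integrationHttpMethod": "ANY",
        "connectionType": "VPC_LINK",
        "connectionId": "${stageVariables.%s}" % VPC_LINK_VAR,
        "uri": "http://${stageVariables.%s}" % NLB_VAR + backend_path,
    }


def deployment_request(rest_api_id: str, stage_name: str, vpc_link_id: str, nlb_dns: str) -> dict:
    """Parameters for apigateway.create_deployment; the stage variables carry the
    concrete VPC link ID and NLB DNS name for this stage."""
    return {
        "restApiId": rest_api_id,
        "stageName": stage_name,
        "variables": {VPC_LINK_VAR: vpc_link_id, NLB_VAR: nlb_dns},
    }


_STAGE_VAR = re.compile(r"\$\{stageVariables\.(\w+)\}")


def resolve_stage_variables(template: str, variables: dict) -> str:
    """Expand ${stageVariables.NAME} references; a missing variable raises KeyError
    so a half-configured stage is caught before traffic hits it."""
    return _STAGE_VAR.sub(lambda m: variables[m.group(1)], template)


def effective_integration(integration: dict, deployment: dict) -> dict:
    """Show what the integration resolves to for a deployment, for review before applying."""
    variables = deployment["variables"]
    return {
        "connectionId": resolve_stage_variables(integration["connectionId"], variables),
        "uri": resolve_stage_variables(integration["uri"], variables),
    }


def apply(rest_api_id: str, resource_id: str, stage_name: str, link_name: str, nlb: dict) -> dict:
    """Run the whole procedure against AWS (needs credentials and boto3 installed)."""
    import boto3  # imported here so the helpers above run without boto3
    problems = nlb_preflight(nlb)
    if problems:
        raise ValueError("; ".join(problems))
    apigw = boto3.client("apigateway")
    link = apigw.create_vpc_link(**vpc_link_request(link_name, nlb["LoadBalancerArn"]))
    while apigw.get_vpc_link(vpcLinkId=link["id"])["status"] == "PENDING":
        time.sleep(10)  # the link is created asynchronously; wait until it leaves PENDING
    # Console default is no authorization; attach an authorizer here for a real API.
    apigw.put_method(restApiId=rest_api_id, resourceId=resource_id,
                     httpMethod="ANY", authorizationType="NONE")
    integration = integration_request(rest_api_id, resource_id)
    apigw.put_integration(**integration)
    deployment = deployment_request(rest_api_id, stage_name, link["id"], nlb["DNSName"])
    apigw.create_deployment(**deployment)
    return effective_integration(integration, deployment)
```

Keeping the integration symbolic (`${stageVariables.VPCLINK}` and `${stageVariables.VPCNLB}`) is what lets one deployed method point at a different VPC link and NLB per stage; `effective_integration()` resolves those references exactly as API Gateway will, so you can confirm a stage points at the intended internal NLB before sending traffic.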

Summary

Though API Gateway REST APIs offer the full capabilities of Amazon API Gateway, they unfortunately have a constraint when it comes to their private integrations due to their reliance on AWS PrivateLink. Consequently, you must connect to an existing NLB or configure one. Since you do not have access to the API Gateway service’s VPC, the REST API’s VPC link resource abstracts the AWS PrivateLink consumer implementation for you. In the next part of this series, “Scaling Amazon API Gateway Private Integrations”, we will look at some common patterns and how scalability can be achieved depending on which type of API Gateway tooling you use.

